Spyware firm SpyFone leaves customer data, recordings exposed online


This type of malware comes in various forms, including keyloggers, modular software capable of taking screenshots, malicious code able to view and steal content such as photos and videos, as well as recorders of text messages, phone calls, and browser histories.

No matter the user, you would think that the companies responsible for developing spyware would do their utmost to protect the information collected on behalf of their customers.

However, it appears that an oversight by spyware developer SpyFone has led to the online leak of terabytes of data belonging not just to customers but also their targets.

California-based SpyFone, marketed as the world's "number one parental monitoring software," also boldly links to articles which describe the offerings as a way for employers to "protect [their] company from inappropriate usage" and to give spouses "peace of mind."

The company says it takes as little as 15 minutes to install the spyware on a target device and there is no indication given to those being watched that anything is amiss with their handsets, which are monitored remotely.

SpyFone's software is able to monitor smartphone activity including SMS messages being sent, record calls, and slurp information from apps including Skype and WhatsApp. One variant of the firm's solution also offers live viewing to customers.

However, this month, the spyware firm's customers have had their own information leaked alongside that of their victims after a researcher uncovered an Amazon S3 bucket belonging to the company which had been left unprotected.

Misconfigurations allowed the leak of photos, audio, recordings, text messages, and browsing history. In addition, GPS data, IMEI numbers, names, hashed passwords, and device information were included in the breach.

Speaking to Motherboard, the researcher, who chose to remain anonymous, said he was able to create administrator accounts and view customer data due to a lack of backend security. SpyFone allegedly also left an API unprotected, which could allow anyone able to guess the URL to view an up-to-date list of customers.

The information, which has been added to Troy Hunt's data compromise search engine Have I Been Pwned, includes terabytes of data which appears to belong to thousands of SpyFone customers.

It is not possible to use the platform to pull this information, but rather, you can check to see whether information belonging to you has been leaked based on an email address.

The data "included 44,000 unique email addresses, many likely belonging to people the targeted phones had contact with," Hunt says.

A SpyFone spokesperson confirmed the leak to the publication and said the incident impacted over two thousand customers. The spokesperson also expressed relief that a researcher had found the weak security point and said SpyFone was investigating the incident.
